Bug 164729 - Latest policy prevents httpd startup
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-07-31 01:00 EDT by Stefan Becker
Modified: 2007-11-30 17:11 EST
Last Closed: 2005-08-04 13:11:37 EDT
Description Stefan Becker 2005-07-31 01:00:16 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc4 Firefox/1.0.6

Description of problem:
The latest SELinux targeted policy prevents httpd from accessing the standard document root under /var/www/html. Therefore httpd doesn't start up anymore.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.25.3-6, httpd-2.0.54-10

How reproducible:
Always

Steps to Reproduce:
1. service httpd start

Actual Results:
# service httpd start
Starting httpd:                                            [FAILED]


During boot you can see an additional console message saying "Syntax error line XYZ in httpd.conf: DocumentRoot must be a directory".


Expected Results:  httpd should start up.

Additional info:

Excerpt from /var/log/audit/audit.log:

type=AVC msg=audit(1122785657.244:12643695): avc:  denied  { search } for  pid=3650 comm="httpd" name="www" dev=hda3 ino=917661 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
type=SYSCALL msg=audit(1122785657.244:12643695): arch=40000003 syscall=195 success=no exit=-13 a0=91f3758 a1=bfe8a314 a2=463ff4 a3=bfe8a314 items=1 pid=3650 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd"
type=CWD msg=audit(1122785657.244:12643695):  cwd="/"
type=PATH msg=audit(1122785657.244:12643695): item=0 name="/var/www/html" flags=1  inode=917661 dev=03:03 mode=040755 ouid=0 ogid=0 rdev=00:00

httpd starts up fine when run by hand outside of auditd control.

When I downgrade to the previous selinux-policy-targeted-1.25.2-4 httpd starts up fine.
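The audit.log excerpt above is what a responder actually works from: the AVC record names the denied permission and the source and target types, and the PATH record with the same audit serial names the object. As an added example (not code from this bug report, from Fedora or from the SELinux tools), here is a POSIX sh/awk function that joins the records of one event on that serial number and prints one summary line per denial. The sample input is the four records quoted in this report; the output format is the example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): summarise SELinux AVC denials from
# audit.log records. All records of one event carry the same serial number in
# audit(<secs>.<ms>:<serial>), so the PATH record can supply the object path
# for its AVC record. Reads audit records on stdin, prints one line per denial.
avc_summary() {
    awk '
    # Value of " key=value" (quoted or bare) in a record, "" if absent.
    function field(line, key,    m) {
        if (match(line, " " key "=\"?[^ \"]*")) {
            m = substr(line, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
            gsub(/"/, "", m)
            return m
        }
        return ""
    }
    # Type (third component) of a context user:role:type[:level].
    function ctx_type(ctx,    p) { split(ctx, p, ":"); return p[3] }
    {
        # Skip anything without an audit(...) stamp; otherwise extract the serial.
        if (!match($0, /audit\([0-9.]+:[0-9]+\)/)) next
        serial = substr($0, RSTART, RLENGTH)
        sub(/^.*:/, "", serial); sub(/\)$/, "", serial)
    }
    $0 ~ /avc: +denied/ {
        match($0, /\{ [^}]* \}/)            # "{ search }" -> "search"
        perm[serial] = substr($0, RSTART + 2, RLENGTH - 4)
        comm[serial] = field($0, "comm")
        src[serial]  = ctx_type(field($0, "scontext"))
        tgt[serial]  = ctx_type(field($0, "tcontext"))
        cls[serial]  = field($0, "tclass")
        order[++n] = serial
    }
    $0 ~ /^type=PATH / { path[serial] = field($0, "name") }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]
            printf "serial=%s comm=%s denied=%s src=%s tgt=%s class=%s path=%s\n",
                s, comm[s], perm[s], src[s], tgt[s], cls[s], ((s in path) ? path[s] : "?")
        }
    }'
}

# Sample input: the four audit records quoted in this bug report.
SAMPLE_AUDIT=$(cat <<'EOF'
type=AVC msg=audit(1122785657.244:12643695): avc:  denied  { search } for  pid=3650 comm="httpd" name="www" dev=hda3 ino=917661 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
type=SYSCALL msg=audit(1122785657.244:12643695): arch=40000003 syscall=195 success=no exit=-13 a0=91f3758 a1=bfe8a314 a2=463ff4 a3=bfe8a314 items=1 pid=3650 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd"
type=CWD msg=audit(1122785657.244:12643695):  cwd="/"
type=PATH msg=audit(1122785657.244:12643695): item=0 name="/var/www/html" flags=1  inode=917661 dev=03:03 mode=040755 ouid=0 ogid=0 rdev=00:00
EOF
)

# Usage on a live host would be: avc_summary < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```

The summary line shows the shape of the problem in this report at a glance: the httpd_t domain was denied `search` on a directory of type httpd_sys_content_t at /var/www/html, which is exactly the document-root access that a boolean in the targeted policy gates, as comment 1 goes on to identify.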
Comment 1 Daniel Walsh 2005-08-01 09:35:40 EDT
Did you have httpd_builtin_scripting turned off?

getsebool httpd_builtin_scripting

It needs to be turned on for this to work.

setsebool -P httpd_builtin_scripting=1
Comment 2 Stefan Becker 2005-08-04 13:11:37 EDT
Yes, that was switched off. When I enable it httpd starts again.


Is this a new setting? Or is this something new in the policy? It should be
mentioned in the update notice so that others don't have the same problem. Or
enable it by default in the new policy.

Resolved as NOTABUG.
Comment 3 Daniel Walsh 2005-08-05 14:05:08 EDT
It is fairly new to policy.  I do not recall if it was there before in RHEL4.
By default it should be set to true in /etc/selinux/targeted/booleans?

Dan
Comment 4 James Hunt 2005-12-09 10:57:08 EST
I have the same problem. Running "setsebool -P httpd_builtin_scripting=1" does fix the problem for me. However, although /etc/selinux/targeted/booleans does indeed specify "httpd_builtin_scripting=1", this variable wasn't set in my running kernel until I forced it with setsebool. Is this a problem with the selinux RPMs not reading /etc/selinux/targeted/booleans?

# cat /proc/version     
Linux version 2.6.14-1.1644_FC4 (bhcompile@hs20-bc1-1.build.redhat.com) (gcc
version 4.0.1 20050727 (Red Hat 4.0.1-5)) #1 Sun Nov 27 03:25:11 EST 2005
# rpm -qa|egrep "policy|selinux"
selinux-doc-1.19.5-1
policycoreutils-1.27.2-1.2
selinux-policy-targeted-1.27.1-2.16
checkpolicy-1.23.1-1
libselinux-devel-1.23.10-2
libselinux-1.23.10-2
selinux-policy-targeted-sources-1.27.1-2.16
# 
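Comment 1 gives the check and the fix (`getsebool` to read a boolean, `setsebool -P` to set it persistently), and comment 4 finds the case that is easy to miss: the persistent file said `httpd_builtin_scripting=1` while the running kernel reported it off. The following POSIX sh/awk function is an added example, not part of this report or of the SELinux tools: it compares a booleans file in the `name=1` form used by /etc/selinux/targeted/booleans here with `getsebool -a` output in the `name --> on` form, and lists every boolean whose persistent setting is not the active one. The sample files are constructed to mimic comment 4; on a live host you would pass the real booleans file and a saved `getsebool -a` listing, and on a newer policy the persistent store your release uses.

```shell
#!/bin/sh
# Added example (not from the bug report): report SELinux booleans whose
# persistent setting (file of name=0|1 lines) differs from the runtime state
# (file of "name --> on|off" lines as printed by `getsebool -a`).
# Usage: boolean_drift BOOLEANS_FILE GETSEBOOL_OUTPUT_FILE
boolean_drift() {
    awk -F'=' '
    # First file: persistent settings, e.g. httpd_builtin_scripting=1
    FILENAME == ARGV[1] {
        gsub(/[ \t]/, "")                  # tolerate whitespace around "="
        if ($0 ~ /^#/ || NF < 2) next      # comments and blank lines
        want[$1] = ($2 == "1" || $2 == "true") ? "on" : "off"
        next
    }
    # Second file: runtime state, e.g. "httpd_builtin_scripting --> off"
    {
        n = split($0, f, / +--> */)
        if (n != 2) next
        have[f[1]] = f[2]
    }
    END {
        for (b in want) {
            if (!(b in have))
                printf "%s: persistent=%s runtime=UNKNOWN\n", b, want[b]
            else if (have[b] != want[b])
                printf "%s: persistent=%s runtime=%s\n", b, want[b], have[b]
        }
    }' "$1" "$2" | sort
}

# Constructed sample data (not captured from a real host): the state James Hunt
# describes in comment 4, where the file says 1 but the kernel says off.
tmp=$(mktemp -d)
cat >"$tmp/booleans" <<'EOF'
# persistent boolean settings
httpd_builtin_scripting=1
httpd_enable_cgi=1
httpd_tty_comm=0
EOF
cat >"$tmp/getsebool.out" <<'EOF'
httpd_builtin_scripting --> off
httpd_enable_cgi --> on
httpd_tty_comm --> off
EOF

# On a live host: getsebool -a > /tmp/getsebool.out
#                 boolean_drift /etc/selinux/targeted/booleans /tmp/getsebool.out
boolean_drift "$tmp/booleans" "$tmp/getsebool.out"
rm -rf "$tmp"
```

Each reported line is a boolean that would behave one way after `setsebool -P` and another way on the next boot, which is the discrepancy comment 4 raises; an empty result means the persistent file and the kernel agree. The fix for a listed boolean is the one from comment 1, `setsebool -P name=1` (or 0), which writes the persistent value and applies it to the running kernel in one step.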
